Merge remote-tracking branch 'origin/main' into polynomial_redos

2026-04-22 23:35:14 +02:00 · 2021-09-07 17:35:07 +01:00
parent 4d5928ae5a 8fbe5c0adf
commit 7666d856b7
26 changed files with 565 additions and 104 deletions
--- a/ql/src/queries/security/cwe-601/UrlRedirect.qhelp
+++ b/ql/src/queries/security/cwe-601/UrlRedirect.qhelp
@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly incorporating user input into a URL redirect request without validating the input
+can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a
+malicious site that looks very similar to the real site they intend to visit, but which is
+controlled by the attacker.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To guard against untrusted URL redirection, it is advisable to avoid putting user input
+directly into a redirect URL. Instead, maintain a list of authorized
+redirects on the server; then choose from that list based on the user input provided.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows an HTTP request parameter being used directly in a URL redirect
+without validating the input, which facilitates phishing attacks:
+</p>
+
+<sample src="examples/redirect_bad.rb"/>
+
+<p>
+One way to remedy the problem is to validate the user input against a known fixed string
+before doing the redirection:
+</p>
+
+<sample src="examples/redirect_good.rb"/>
+</example>
+
+<references>
+<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">
+  XSS Unvalidated Redirects and Forwards Cheat Sheet</a>.</li>
+<li>Rails Guides: <a href="https://guides.rubyonrails.org/security.html#redirection-and-files">
+  Redirection and Files</a>.</li>
+</references>
+
+</qhelp>
--- a/ql/src/queries/security/cwe-601/UrlRedirect.ql
+++ b/ql/src/queries/security/cwe-601/UrlRedirect.ql
@@ -0,0 +1,22 @@
+/**
+ * @name URL redirection from remote source
+ * @description URL redirection based on unvalidated user input
+ *              may cause redirection to malicious web sites.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 6.1
+ * @sub-severity low
+ * @id rb/url-redirection
+ * @tags security
+ *       external/cwe/cwe-601
+ * @precision high
+ */
+
+import ruby
+import codeql.ruby.security.UrlRedirectQuery
+import codeql.ruby.DataFlow::DataFlow::PathGraph
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(),
+  "a user-provided value"
--- a/ql/src/queries/security/cwe-601/examples/redirect_bad.rb
+++ b/ql/src/queries/security/cwe-601/examples/redirect_bad.rb
@@ -0,0 +1,5 @@
+class HelloController < ActionController::Base
+  def hello
+    redirect_to params[:url]
+  end
+end
--- a/ql/src/queries/security/cwe-601/examples/redirect_good.rb
+++ b/ql/src/queries/security/cwe-601/examples/redirect_good.rb
@@ -0,0 +1,11 @@
+class HelloController < ActionController::Base
+  VALID_REDIRECT = "http://cwe.mitre.org/data/definitions/601.html"
+
+  def hello
+    if params[:url] == VALID_REDIRECT
+      redirect_to params[:url]
+    else
+      # error
+    end
+  end
+end